codeigniter4/framework is vulnerable to information disclosure. The vulnerability exists in the set_cookie function because it does not reflect `$secure` or `$httponly` values set to true in the config or in the cookie itself, so cookies are emitted without the Secure and HttpOnly attributes. This exposes them to client-side scripts, allowing an attacker to gain access to internal data.
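As an added example (not code from the CodeIgniter4 project or from the advisory), a small Python check a deployer can run over captured response headers to confirm that cookies actually carry the Secure and HttpOnly attributes the configuration asks for; the header values below are constructed.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not part of CodeIgniter4 or the advisory. It checks the
observable effect of the defect described above: a cookie helper that
silently drops the configured Secure/HttpOnly attributes.
"""

# Constructed response headers. The first Set-Cookie models what a helper
# that ignores the cookie config emits; the second carries the attributes.
CONSTRUCTED_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "ci_session=abc123; Path=/; Max-Age=7200"),
    ("Set-Cookie", "csrf_cookie_name=t0k3n=ab; path=/; secure; HttpOnly; SameSite=Lax"),
]

REQUIRED_ATTRIBUTES = ("Secure", "HttpOnly")


def audit_set_cookie(header_value: str):
    """Return (cookie_name, missing_attributes) for one Set-Cookie value.

    Attribute names are case-insensitive per RFC 6265, and the cookie
    value may itself contain '=', so only the first '=' splits name/value.
    """
    segments = [s.strip() for s in header_value.split(";")]
    cookie_name = segments[0].split("=", 1)[0]
    attrs = {s.split("=", 1)[0].lower() for s in segments[1:]}
    missing = [a for a in REQUIRED_ATTRIBUTES if a.lower() not in attrs]
    return cookie_name, missing


def audit_headers(headers):
    """Map each cookie lacking Secure/HttpOnly to the attributes it misses."""
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, missing = audit_set_cookie(value)
        if missing:
            findings[cookie_name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_headers(CONSTRUCTED_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```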
| CPE | Name | Operator | Version |
|---|---|---|---|
|  | codeigniter4/framework | le | v4.2.6 |
- codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
- codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
- developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
- github.com/codeigniter4/CodeIgniter4/issues/6540
- github.com/codeigniter4/CodeIgniter4/pull/6544
- github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
- github.com/codeigniter4/framework/commit/011ce3bbda6f85930075a9b8fecbee01c4b23ab9
- www.cve.org/CVERecord?id=CVE-2022-39284